REST API

REST API Access: OAuth 2.0 (Client Credentials Grant)

Overview:
For REST API integrations, our platform uses the OAuth 2.0 protocol, specifically the "client credentials" grant type, to authenticate and authorize external systems.

Step-by-Step Flow

Provisioning Credentials:
- When onboarding a new API client (such as a partner or application), we generate a unique client ID and client secret for them.
- These credentials are securely shared with the client as part of the onboarding process.
Requesting an Access Token:
- To interact with the API, clients must first obtain an access token.
- They do this by making an HTTP POST request to the following:
  - REST API Base URL: https://api.cardlytics.com
  - Endpoint Path: /api/v1/idp/oauth2/token
```
POST https://api.cardlytics.com/api/v1/idp/oauth2/token
Content-Type: application/x-www-form-urlencoded
```
- The request payload must include:
  - client_id: The unique client ID you provided.
  - client_secret: The corresponding client secret.
  - grant_type: This must be set to client_credentials.
  Example payload:
```
client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&grant_type=client_credentials
```
Receiving the Access Token:
- If the credentials are valid, the API will respond with a JSON object containing:
  - access_token: The bearer token to use for authentication.
  - expires_in: The token's validity period in seconds (e.g., 3600 seconds = 1 hour).
  - token_type: "Bearer".
  Example response:
```
{
  "access_token": "abcdef123456...",
  "expires_in": 3600,
  "token_type": "Bearer"
}
```
Using the Access Token:
- The client includes the access_token in the Authorization header when making subsequent API requests:
```
Authorization: Bearer <access_token>
```
- The API validates the token, ensuring only authorized clients can access the specified endpoints.

📘
Interactive API Testing
Ready to test the API?
👉 Visit our Interactive API Reference to try out endpoints with real requests.